==================================================================
BUG: KASAN: vmalloc-out-of-bounds in copy_play_buf+0x4d1/0x9a0 sound/drivers/aloop.c:603
Write of size 128 at addr ffffc9000f748000 by task kworker/u8:0/10906

CPU: 1 PID: 10906 Comm: kworker/u8:0 Not tainted 6.10.0-rc3-syzkaller-00044-g2ccbdf43d5e7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: events_unbound cfg80211_wiphy_work
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
 copy_play_buf+0x4d1/0x9a0 sound/drivers/aloop.c:603
 loopback_jiffies_timer_pos_update+0xd19/0x1630 sound/drivers/aloop.c:693
 loopback_jiffies_timer_function+0x64/0x240 sound/drivers/aloop.c:706
 call_timer_fn+0x18e/0x650 kernel/time/timer.c:1792
 expire_timers kernel/time/timer.c:1843 [inline]
 __run_timers kernel/time/timer.c:2417 [inline]
 __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2428
 run_timer_base kernel/time/timer.c:2437 [inline]
 run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2447
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:ieee80211_sta_get_rates+0x2ff/0x660 net/mac80211/util.c:1552
Code: 84 db 0f 99 c0 44 08 f0 88 44 24 07 4c 8b 74 24 28 49 bc 00 00 00 00 00 fc ff df 45 31 ff 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 <74> 08 4c 89 f7 e8 07 25 f8 f6 49 63 c7 4d 8b 36 4c 8d 2c 40 4b 8d
RSP: 0018:ffffc900038b7798 EFLAGS: 00000246
RAX: 1ffff1100b5d8616 RBX: 000000000000003c RCX: ffff888020bf5a00
RDX: 0000000000000000 RSI: 000000000000003c RDI: 000000000000005a
RBP: 000000000000005a R08: ffffffff8b03c6dc R09: 1ffffffff1f5aa15
R10: dffffc0000000000 R11: fffffbfff1f5aa16 R12: dffffc0000000000
R13: 000000000000000c R14: ffff88805aec30b0 R15: 0000000000000005
 ieee80211_update_sta_info net/mac80211/ibss.c:988 [inline]
 ieee80211_rx_bss_info net/mac80211/ibss.c:1097 [inline]
 ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1578 [inline]
 ieee80211_ibss_rx_queued_mgmt+0x11e1/0x2d70 net/mac80211/ibss.c:1605
 ieee80211_iface_process_skb net/mac80211/iface.c:1605 [inline]
 ieee80211_iface_work+0x8a3/0xf10 net/mac80211/iface.c:1659
 cfg80211_wiphy_work+0x221/0x260 net/wireless/core.c:437
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Memory state around the buggy address:
 ffffc9000f747f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9000f747f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc9000f748000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc9000f748080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9000f748100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
----------------
Code disassembly (best guess):
   0:	84 db                	test   %bl,%bl
   2:	0f 99 c0             	setns  %al
   5:	44 08 f0             	or     %r14b,%al
   8:	88 44 24 07          	mov    %al,0x7(%rsp)
   c:	4c 8b 74 24 28       	mov    0x28(%rsp),%r14
  11:	49 bc 00 00 00 00 00 	movabs $0xdffffc0000000000,%r12
  18:	fc ff df
  1b:	45 31 ff             	xor    %r15d,%r15d
  1e:	4c 89 f0             	mov    %r14,%rax
  21:	48 c1 e8 03          	shr    $0x3,%rax
  25:	42 80 3c 20 00       	cmpb   $0x0,(%rax,%r12,1)
* 2a:	74 08                	je     0x34 <-- trapping instruction
  2c:	4c 89 f7             	mov    %r14,%rdi
  2f:	e8 07 25 f8 f6       	call   0xf6f8253b
  34:	49 63 c7             	movslq %r15d,%rax
  37:	4d 8b 36             	mov    (%r14),%r14
  3a:	4c 8d 2c 40          	lea    (%rax,%rax,2),%r13
  3e:	4b                   	rex.WXB
  3f:	8d                   	.byte 0x8d